mcp-activedirectory
A Model Context Protocol (MCP) server for Microsoft Active Directory, providing AI assistants with access to on-prem AD (via LDAP) and Azure AD / Entra ID (via Microsoft Graph API).
Features
Supports two modes, which can be enabled independently or together:
On-prem Active Directory: connects to a domain controller via LDAP/LDAPS using the ldapts library
Azure AD / Entra ID: connects via the Microsoft Graph API using the OAuth2 client credentials flow
18 tools across five categories:
User Management
| Tool | Description |
|------|-------------|
| | List users with optional name, email, or department filter |
| | Get full user details including decoded UAC flags (on-prem) or full profile (Azure AD) |
| | List all groups a user is a member of |
| | Advanced search by name, email, department, title, phone, or UPN |
Group Management
| Tool | Description |
|------|-------------|
| | List groups with optional name filter |
| | Get group details including member count and decoded group type |
| | List all group members; supports recursive nested group expansion (on-prem) |
| | Search groups by name or description |
Computer Accounts (On-prem AD only)
| Tool | Description |
|------|-------------|
| | List computer accounts with OS, last logon (human-readable), and OU |
| | Get full computer account details |
| | Search by name, OS, OU path, DNS hostname, or description |
Organizational Units (On-prem AD only)
| Tool | Description |
|------|-------------|
| | List OUs with full path, sorted by depth |
| | Get OU details |
| | Search OUs by name, description, or parent path |
Azure AD / Entra ID (Azure AD only)
| Tool | Description |
|------|-------------|
| | List Entra ID registered/joined devices with OS and compliance status |
| | Get full device details by object ID |
| | List app registrations and service principals |
| | Get last sign-in information for a user |
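Every search tool above takes free text (a name, an email, an OU path, a description) that in this setup ultimately comes out of an LLM prompt, so it must be treated as untrusted before it is spliced into an LDAP filter. The following is an added example written for this page, not code from mcp-activedirectory: it escapes assertion values per RFC 4515, shows the unescaped form beside it so the structural difference is visible, and builds the filter that performs the recursive nested-group expansion server-side with the LDAP_MATCHING_RULE_IN_CHAIN rule. The function names, the attribute choices for the name search and the injected sample value are this example's own.

```typescript
// Added example for this page, not code from mcp-activedirectory.
// Escapes caller-supplied text per RFC 4515 so it cannot change the structure
// of an LDAP search filter, and builds the filters the search tools need.

const LDAP_FILTER_ESCAPES: Record<string, string> = {
  "\\": "\\5c",
  "*": "\\2a",
  "(": "\\28",
  ")": "\\29",
  "\u0000": "\\00",
};

function escapeLdapFilterValue(value: string): string {
  let out = "";
  for (const ch of value) {
    out += LDAP_FILTER_ESCAPES[ch] ?? ch;
  }
  return out;
}

interface UserSearch {
  name?: string;        // substring match on cn, displayName or sAMAccountName
  mail?: string;        // exact match
  department?: string;  // exact match
}

// The "*" wildcards are added here, after escaping, so a "*" typed by the
// caller matches a literal asterisk instead of widening the search.
function buildUserFilter(q: UserSearch): string {
  const clauses: string[] = ["(objectCategory=person)", "(objectClass=user)"];
  if (q.name) {
    const v = escapeLdapFilterValue(q.name);
    clauses.push(`(|(cn=*${v}*)(displayName=*${v}*)(sAMAccountName=*${v}*))`);
  }
  if (q.mail) clauses.push(`(mail=${escapeLdapFilterValue(q.mail)})`);
  if (q.department) clauses.push(`(department=${escapeLdapFilterValue(q.department)})`);
  return `(&${clauses.join("")})`;
}

// For contrast only: interpolating without escaping lets the value close the
// assertion and append its own. With the constructed input "*)(userAccountControl=*"
// the filter matches every user that has a mail attribute, not one address.
function unsafeMailFilter(mail: string): string {
  return `(&(objectClass=user)(mail=${mail}))`;
}

// Transitive ("recursive nested") group membership in a single query: the
// LDAP_MATCHING_RULE_IN_CHAIN rule makes the domain controller walk nested
// groups server-side instead of the client issuing one query per level.
const LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941";

function buildNestedMembersFilter(groupDn: string): string {
  // A DN used as an assertion value is escaped like any other value.
  return `(&(objectClass=user)(memberOf:${LDAP_MATCHING_RULE_IN_CHAIN}:=${escapeLdapFilterValue(groupDn)}))`;
}
```

The in-chain filter is an Active Directory extension rather than core LDAP, and it is noticeably more expensive for the DC than a plain memberOf lookup; that cost is the reason a tool exposing it to an LLM should keep the base DN and scope tight.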
Installation
```shell
git clone git@github.com:fredriksknese/mcp-activedirectory.git
cd mcp-activedirectory
npm install
npm run build
```
Configuration
The server is configured via environment variables. At least one of AD_HOST or AZURE_TENANT_ID must be set.
On-prem Active Directory (LDAP)
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| AD_HOST | Yes | — | Domain controller hostname or IP address |
| AD_PORT | No | | LDAP port (389 for LDAP, 636 for LDAPS) |
| AD_USE_SSL | No | | Use LDAPS ("true" or "false") |
| AD_BIND_DN | Yes | — | Bind DN of the service account (see the configuration examples below) |
| AD_BIND_PASSWORD | Yes | — | Bind account password |
| AD_BASE_DN | Yes | — | Base DN for all searches (see the configuration examples below) |
| AD_ALLOW_SELF_SIGNED | No | | Accept self-signed TLS certificates; this disables certificate verification, see LDAPS / SSL Configuration |
Azure AD / Entra ID (Microsoft Graph API)
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| AZURE_TENANT_ID | Yes | — | Azure AD tenant ID (GUID) |
| AZURE_CLIENT_ID | Yes | — | App registration (client) ID |
| AZURE_CLIENT_SECRET | Yes | — | App registration client secret |
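The environment variables above are the entire configuration surface, so this is where a deployment goes wrong: neither backend set, LDAPS requested on the plain port, or self-signed acceptance left on in production. The following is an added example written for this page, not code from mcp-activedirectory. It reads the variables into connection settings, enforces the rule that at least one of AD_HOST or AZURE_TENANT_ID is set, and maps AD_USE_SSL and AD_ALLOW_SELF_SIGNED onto the url and tlsOptions fields that the ldapts Client constructor accepts. The helper names, the 389/636 fallback ports and the error messages are this example's own choices, not the project's documented defaults.

```typescript
// Added example for this page, not code from mcp-activedirectory.
// Parses the documented environment variables into connection settings and
// enforces the "at least one backend" rule. The `ad` object is shaped as the
// { url, tlsOptions } options that `new Client(...)` from ldapts takes.

type Env = Record<string, string | undefined>;

interface AdSettings {
  url: string;                                  // ldap://host:389 or ldaps://host:636
  bindDN: string;
  bindPassword: string;
  baseDN: string;
  tlsOptions?: { rejectUnauthorized: boolean }; // only present for LDAPS
}

interface AzureSettings {
  tenantId: string;
  clientId: string;
  clientSecret: string;
}

interface ServerConfig {
  ad?: AdSettings;
  azure?: AzureSettings;
}

function isTrue(value: string | undefined): boolean {
  return (value ?? "").trim().toLowerCase() === "true";
}

function required(env: Env, name: string): string {
  const v = env[name];
  if (v === undefined || v.trim() === "") {
    throw new Error(`${name} is required when this backend is enabled`);
  }
  return v;
}

function loadConfig(env: Env): ServerConfig {
  const config: ServerConfig = {};

  if (env.AD_HOST) {
    const useSsl = isTrue(env.AD_USE_SSL);
    // 389/636 are the standard LDAP/LDAPS ports named under Requirements; that
    // the project itself falls back to them when AD_PORT is unset is an assumption.
    const port = Number(env.AD_PORT ?? (useSsl ? "636" : "389"));
    if (!Number.isInteger(port) || port < 1 || port > 65535) {
      throw new Error(`AD_PORT must be a TCP port number, got ${env.AD_PORT}`);
    }
    const ad: AdSettings = {
      url: `${useSsl ? "ldaps" : "ldap"}://${env.AD_HOST}:${port}`,
      bindDN: required(env, "AD_BIND_DN"),
      bindPassword: required(env, "AD_BIND_PASSWORD"),
      baseDN: required(env, "AD_BASE_DN"),
    };
    if (useSsl) {
      // rejectUnauthorized=false turns certificate checking off entirely, so the
      // bind password can be captured by anyone who can interpose on the
      // connection. The flag is only meaningful (and only honoured) with LDAPS.
      ad.tlsOptions = { rejectUnauthorized: !isTrue(env.AD_ALLOW_SELF_SIGNED) };
    }
    config.ad = ad;
  }

  if (env.AZURE_TENANT_ID) {
    config.azure = {
      tenantId: required(env, "AZURE_TENANT_ID"),
      clientId: required(env, "AZURE_CLIENT_ID"),
      clientSecret: required(env, "AZURE_CLIENT_SECRET"),
    };
  }

  if (!config.ad && !config.azure) {
    throw new Error("Set AD_HOST and/or AZURE_TENANT_ID; no backend is configured");
  }
  return config;
}
```

Failing fast on a half-configured backend is deliberate: a server that silently starts without its Azure credentials, or with AD_ALLOW_SELF_SIGNED applied to a plain-LDAP connection, is harder to diagnose than one that refuses to start.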
Required Permissions
On-prem Active Directory
The service account (AD_BIND_DN) needs read access to the directory. The minimum required permissions are:
Read on User objects (all attributes listed below)
Read on Group objects
Read on Computer objects
Read on OrganizationalUnit objects
Recommended: use a dedicated, low-privilege domain user account. Every domain account is automatically a member of Domain Users, and in a default-configured domain Authenticated Users can already read the attributes listed below on user, group, computer and OU objects, so no extra delegation is normally needed; only if your domain has tightened the default ACLs do you need to delegate Read on the domain root to the service account. Do not bind as an administrative account: the server only reads, and its password sits in plaintext in the MCP client configuration.
Attributes read for users: cn, sAMAccountName, displayName, mail, userPrincipalName, department, title, telephoneNumber, mobile, manager, memberOf, userAccountControl, lastLogon, whenCreated, whenChanged, description, distinguishedName, objectGUID
Note that lastLogon is not replicated between domain controllers: the value returned reflects only the DC the server is bound to, so a prompt like "which accounts haven't logged in since 2024?" is reliable only if that DC is the one those accounts authenticate against (lastLogonTimestamp is replicated, at the cost of being up to 14 days stale).
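Two of the attributes just listed need decoding before they mean anything: userAccountControl is a bit field, and lastLogon (like lastLogonTimestamp and pwdLastSet) is a Windows FILETIME returned by LDAP as a decimal string. The following is an added example written for this page, not the project's own decoder. The bit values are the documented UF_* constants; the "risky" subset, the sentinel handling and the function names are this example's choices.

```typescript
// Added example for this page, not code from mcp-activedirectory.
// Decodes userAccountControl into named flags and converts FILETIME attributes
// (lastLogon, lastLogonTimestamp, pwdLastSet) into JavaScript Dates.

// userAccountControl bits as documented by Microsoft (UF_* constants).
const UAC_FLAGS: ReadonlyArray<readonly [number, string]> = [
  [0x0000001, "SCRIPT"],
  [0x0000002, "ACCOUNTDISABLE"],
  [0x0000008, "HOMEDIR_REQUIRED"],
  [0x0000010, "LOCKOUT"],
  [0x0000020, "PASSWD_NOTREQD"],
  [0x0000080, "ENCRYPTED_TEXT_PWD_ALLOWED"],
  [0x0000100, "TEMP_DUPLICATE_ACCOUNT"],
  [0x0000200, "NORMAL_ACCOUNT"],
  [0x0000800, "INTERDOMAIN_TRUST_ACCOUNT"],
  [0x0001000, "WORKSTATION_TRUST_ACCOUNT"],
  [0x0002000, "SERVER_TRUST_ACCOUNT"],
  [0x0010000, "DONT_EXPIRE_PASSWORD"],
  [0x0020000, "MNS_LOGON_ACCOUNT"],
  [0x0040000, "SMARTCARD_REQUIRED"],
  [0x0080000, "TRUSTED_FOR_DELEGATION"],
  [0x0100000, "NOT_DELEGATED"],
  [0x0200000, "USE_DES_KEY_ONLY"],
  [0x0400000, "DONT_REQ_PREAUTH"],
  [0x0800000, "PASSWORD_EXPIRED"],
  [0x1000000, "TRUSTED_TO_AUTH_FOR_DELEGATION"],
  [0x4000000, "PARTIAL_SECRETS_ACCOUNT"],
];

function decodeUac(raw: string | number): string[] {
  const value = typeof raw === "number" ? raw : Number.parseInt(raw, 10);
  if (!Number.isInteger(value) || value < 0) {
    throw new Error(`invalid userAccountControl value: ${raw}`);
  }
  return UAC_FLAGS.filter(([bit]) => (value & bit) !== 0).map(([, name]) => name);
}

// The flags a reviewer wants surfaced first: no Kerberos pre-auth (AS-REP
// roastable), unconstrained delegation, no password required, never expires.
const RISKY_UAC_FLAGS: ReadonlySet<string> = new Set([
  "DONT_REQ_PREAUTH",
  "TRUSTED_FOR_DELEGATION",
  "PASSWD_NOTREQD",
  "DONT_EXPIRE_PASSWORD",
]);

function riskyUacFlags(raw: string | number): string[] {
  return decodeUac(raw).filter((flag) => RISKY_UAC_FLAGS.has(flag));
}

// FILETIME counts 100-ns intervals since 1601-01-01 UTC. Milliseconds between
// 1601-01-01 and the Unix epoch:
const FILETIME_EPOCH_OFFSET_MS = 11644473600000;

// Returns null for the two sentinel values AD uses for "never": 0 and 2^63-1.
function fileTimeToDate(raw: string): Date | null {
  if (!/^\d+$/.test(raw)) throw new Error(`invalid FILETIME: ${raw}`);
  if (raw === "0" || raw === "9223372036854775807") return null;
  // Dropping the last four decimal digits divides by 10^4 exactly (100 ns -> ms)
  // and keeps the value inside Number's safe-integer range without BigInt.
  const msSince1601 = raw.length > 4 ? Number(raw.slice(0, -4)) : 0;
  return new Date(msSince1601 - FILETIME_EPOCH_OFFSET_MS);
}

function formatLastLogon(raw: string): string {
  const d = fileTimeToDate(raw);
  return d === null ? "never" : d.toISOString();
}
```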
Azure AD / Entra ID (Microsoft Graph)
Create an App Registration in Azure AD and grant the following Application permissions (not Delegated):
| Permission | Scope | Required for |
|------------|-------|--------------|
| | Microsoft Graph | Reading user profiles and group memberships |
| | Microsoft Graph | Reading groups and group members |
| | Microsoft Graph | Reading Entra ID registered/joined devices |
| | Microsoft Graph | Reading sign-in activity (the last-sign-in tool) |
Grant Admin Consent for all permissions in the Azure portal. Application permissions are tenant-wide and are not scoped to any signed-in user, so the client secret is effectively a credential for reading every user, group, device and sign-in in the tenant: store it accordingly and rotate it on the same schedule as your other service credentials.
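How the Graph side authenticates is worth seeing end to end, because the secret consented above is a tenant-wide read credential. The following is an added example for this page, not the project's graph-client.ts. It performs the OAuth2 client credentials exchange the README describes: one POST to the tenant's v2.0 token endpoint with the scope https://graph.microsoft.com/.default, the access token cached until shortly before its stated expiry, and concurrent callers coalesced onto a single request. The HTTP call is injected as a function so the logic can be exercised offline against a constructed response; class and helper names are this example's own.

```typescript
// Added example for this page, not the project's graph-client.ts.
// OAuth2 client credentials against the Entra ID v2.0 token endpoint, with
// the access token cached until shortly before it expires.

interface TokenResponse { access_token: string; expires_in: number }
interface CachedToken { value: string; expiresAtMs: number }
interface HttpReply { status: number; body: string }
type PostForm = (url: string, form: Record<string, string>) => Promise<HttpReply>;

const GRAPH_SCOPE = "https://graph.microsoft.com/.default";

function tokenEndpoint(tenantId: string): string {
  return `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`;
}

function clientCredentialsForm(clientId: string, clientSecret: string): Record<string, string> {
  return {
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: GRAPH_SCOPE, // .default = every application permission consented on the app
  };
}

// Builds a cache entry that lapses skewSeconds before the server-stated
// expiry, so a token about to expire is never attached to a Graph call.
function cacheEntryFrom(tok: TokenResponse, nowMs: number, skewSeconds: number): CachedToken {
  if (typeof tok.access_token !== "string" || tok.access_token === "" || !Number.isFinite(tok.expires_in)) {
    throw new Error("token endpoint returned an unexpected payload");
  }
  const ttlMs = Math.max(0, tok.expires_in - skewSeconds) * 1000;
  return { value: tok.access_token, expiresAtMs: nowMs + ttlMs };
}

interface ProviderOptions {
  tenantId: string;
  clientId: string;
  clientSecret: string;
  post: PostForm;       // injected HTTP call; real code would wrap fetch()
  now?: () => number;   // injectable clock
  skewSeconds?: number; // default 300
}

class GraphTokenProvider {
  private readonly opts: ProviderOptions;
  private readonly now: () => number;
  private readonly skewSeconds: number;
  private cached: CachedToken | null = null;
  private inflight: Promise<string> | null = null;

  constructor(opts: ProviderOptions) {
    this.opts = opts;
    this.now = opts.now ?? (() => Date.now());
    this.skewSeconds = opts.skewSeconds ?? 300;
  }

  async getToken(): Promise<string> {
    if (this.cached && this.cached.expiresAtMs > this.now()) return this.cached.value;
    // Coalesce concurrent callers onto a single token request.
    if (!this.inflight) {
      this.inflight = this.fetchToken().finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  private async fetchToken(): Promise<string> {
    const { tenantId, clientId, clientSecret, post } = this.opts;
    const reply = await post(tokenEndpoint(tenantId), clientCredentialsForm(clientId, clientSecret));
    if (reply.status !== 200) {
      // The error body from Entra ID carries an error code, never the secret, so it is safe to surface.
      throw new Error(`token endpoint returned HTTP ${reply.status}: ${reply.body}`);
    }
    const entry = cacheEntryFrom(JSON.parse(reply.body) as TokenResponse, this.now(), this.skewSeconds);
    this.cached = entry;
    return entry.value;
  }
}
```

The early-expiry skew matters more than it looks: Graph rejects an expired bearer token with 401, and without it an MCP tool call issued in the last seconds of a token's life fails in a way that looks like a permission problem rather than a timing one.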
Usage with Claude Desktop
Add to your claude_desktop_config.json. The file then holds the bind password and client secret in plaintext, so restrict its permissions to your own user account and keep it out of version control.
On-prem AD only
```json
{
  "mcpServers": {
    "activedirectory": {
      "command": "node",
      "args": ["/absolute/path/to/mcp-activedirectory/dist/index.js"],
      "env": {
        "AD_HOST": "dc01.corp.example.com",
        "AD_BIND_DN": "CN=svc-mcp,OU=Service Accounts,DC=corp,DC=example,DC=com",
        "AD_BIND_PASSWORD": "your-service-account-password",
        "AD_BASE_DN": "DC=corp,DC=example,DC=com"
      }
    }
  }
}
```
Azure AD / Entra ID only
```json
{
  "mcpServers": {
    "activedirectory": {
      "command": "node",
      "args": ["/absolute/path/to/mcp-activedirectory/dist/index.js"],
      "env": {
        "AZURE_TENANT_ID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "AZURE_CLIENT_ID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "AZURE_CLIENT_SECRET": "your-client-secret"
      }
    }
  }
}
```
Both simultaneously
```json
{
  "mcpServers": {
    "activedirectory": {
      "command": "node",
      "args": ["/absolute/path/to/mcp-activedirectory/dist/index.js"],
      "env": {
        "AD_HOST": "dc01.corp.example.com",
        "AD_BIND_DN": "CN=svc-mcp,OU=Service Accounts,DC=corp,DC=example,DC=com",
        "AD_BIND_PASSWORD": "your-service-account-password",
        "AD_BASE_DN": "DC=corp,DC=example,DC=com",
        "AZURE_TENANT_ID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "AZURE_CLIENT_ID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "AZURE_CLIENT_SECRET": "your-client-secret"
      }
    }
  }
}
```
Usage with Claude Code
```shell
claude mcp add activedirectory -- node /absolute/path/to/mcp-activedirectory/dist/index.js
```
The same environment variables as in the Claude Desktop examples must reach the process Claude Code starts; claude mcp add accepts them as -e KEY=value arguments placed before the --.
LDAPS / SSL Configuration
To use LDAPS (port 636):
```json
"env": {
  "AD_HOST": "dc01.corp.example.com",
  "AD_PORT": "636",
  "AD_USE_SSL": "true",
  "AD_ALLOW_SELF_SIGNED": "true"
}
```
Set AD_ALLOW_SELF_SIGNED to "false" if your domain controller uses a certificate from a trusted CA. With "true" the server accepts any certificate at all, so the LDAPS session, and the bind password sent inside it, can be intercepted by anyone able to redirect traffic destined for the DC. For a domain controller with an internal-CA certificate, the better fix is to trust that CA rather than disable verification: Node honours the NODE_EXTRA_CA_CERTS environment variable pointing at the CA's PEM file, which can be set in the same env block. Keep "true" for lab use only.
Example Prompts
Once connected, you can ask your AI assistant things like:
"List all users in the IT department"
"Get details for user jdoe including their group memberships"
"Which groups does john.doe@company.com belong to?"
"Show me all members of the Domain Admins group"
"List all Windows Server 2022 computers in the Servers OU"
"Which computer accounts haven't logged in since 2024?"
"Show me the top-level OUs in the domain"
"List all Azure AD joined devices"
"When did user@company.com last sign in?"
"List all service principals of type ManagedIdentity"
Architecture
```
src/
├── index.ts         # Entry point — creates MCP server + STDIO transport
├── ad-client.ts     # LDAP client wrapping ldapts for on-prem AD
├── graph-client.ts  # Microsoft Graph API client with OAuth2 token caching
└── tools/
    ├── users.ts     # User tools (list, get, search, groups) — AD + Azure
    ├── groups.ts    # Group tools (list, get, members, search) — AD + Azure
    ├── computers.ts # Computer account tools — on-prem AD only
    ├── ous.ts       # Organizational unit tools — on-prem AD only
    └── azure.ts     # Azure-specific tools (devices, service principals, sign-in)
```
Development
```shell
npm run dev    # Run with tsx (no compilation needed)
npm run build  # Compile TypeScript to dist/
npm start      # Run compiled output
```
Requirements
Node.js 18+
For on-prem AD: network access to a domain controller on port 389 (LDAP) or 636 (LDAPS)
For Azure AD: an App Registration with the required Graph API permissions
License
SEE LICENSE IN LICENSE